Solved

HTML Based Windows Authentication

Posted on 2004-10-25
437 Views
Last Modified: 2013-12-24
I am trying something new with authentication and our intranet site. Basically I am disabling our current method of authentication and moving to a Windows Based authentication (Built into IIS). The problem is our users are not always at their computers at work. Basically, what I am trying to do is replace the ugly windows username and password popup with an HTML form that does the same task. Any suggestions on how to go about this?
0
Question by:JoshDale
    17 Comments
     
    LVL 22

    Expert Comment

    by:pinaldave
    Kerberos is the answer but I can clearly see that it is very complex and hard to implement.

    There is some info on MS site : http://support.microsoft.com/kb/308160/EN-US/
    http://support.microsoft.com/default.aspx?scid=kb;en-us;324276

    Regards,
    ---Pinal
    0
     

    Author Comment

    by:JoshDale
    Well, I know how it works a little better. It doesn't really talk about how information is transferred via client-->server though.
    0
     
    LVL 7

    Expert Comment

    by:INSDivision6
    You cannot emulate Windows authentication (NTLM) in HTML.  However, for intranet you don't need to do so at all,  as it was pointed out already.  This is because clients are authenticated already.  So, you need just handle permissions on the server.
    0
     

    Author Comment

    by:JoshDale
    Yea, this is only for users that are accessing the intranet remotely. And I won't actually be using HTML, I will actually be using flash, I just thought it would be easier describing the situation using HTML.
    0
     
    LVL 7

    Expert Comment

    by:INSDivision6
    If you wanna implement real built-in IIS security, it is not possible, unless you make them somehow properly login in flash, so the client's browser will run under an appropriate account.  Don't think it is possible on computers which are not members of a domain without IE pop-up box.  There are Windows HTTP functions, of course, which allow "invisible" login, but we are talking just about using a browser?
    0
     

    Author Comment

    by:JoshDale
    Yes, I was just wondering if you can replace the ugly ass popup windows gives you ;o) with an HTML or Flash based login screen. This was pretty much just for aesthetic reasons, I can probably live with it... I guess... If I have to ;o).

    Thanks for the help
    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    Josh, I have come across some stuff to determine the currently authenticated user from within CF, but I would have to dig for a while to find it. To be honest, I do not believe it is worth the effort JUST to make the login window look different - and they would get it anyway! If you require authentication on your pages (whether basic or integrated), then windows will get to it first and the client will display the UGLY login window.

    Of course it is theoretically possible to get the user authentication information from the user thru a non-protected page, and then authenticate them against windows and forward them to the protected pages, but that would take me at least a day to find out in detail how to do that, and it would be an ugly hack deep down the windows internals, all proxied thru CF's Java layer - mind you.

    One final note: In basic user http authentication, the password is sent in clear text. If you use NTLM, then CF will not have access to the authentication (see your previous post too).

    Sorry man. The best and safest way to login people is to use SSL for the transport, and whatever your backend authentication database is, whether SQL, LDAP, or - with the proper hooks - Active Directory or the machine-local user database.
    0
     

    Author Comment

    by:JoshDale
    Actually, I have been putting a lot of thought into this, couldn't I just use CGI variables to check the current user (if they are logged on locally through our domain). I could then run a check to see if the user is logged in and if they aren't I could then throw them the login page.
    What do you think of this?
    0
     

    Author Comment

    by:JoshDale
    I am looking at the CGI variable list and came up with these:
    CGI.Auth_Password (I would assume this is to see what password the user used when they used Basic Windows Auth correct?)
    CGI.Auth_User (I would also assume this is based on Basic Windows Auth)

    CGI.Remote_Addr (I could get this information and if the users ip isn't within a certain range 192.168.0.0 - 192.168.255.255 I can throw the login page)
    CGI.Logon_User (Can I use this without Basic Authentication to see the username of the person accessing the site?)

    Sorry, I am relatively new to CF still. The descriptions for some of these vars are sort of vague.
    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    You can determine the logged-on user thru CGI variables, IF they logged on already, that means, AFTER they saw the login-in screen - if if they are at your office. And you page will not be executed UNLESS they logged on.
    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    It's supposed to say: AFTER they saw the login-in screen - OR if they are at your office

    You could do anything you want with any of those values. But what I said in my last comment still applies.
    0
     

    Author Comment

    by:JoshDale
    What I am thinking is I can check a number of things in this order.

    1. Cookie         If they have been logged in before, I can use a cookie to store their information.
    2. Username    Check to see if their username matches that of what is on the database.
    3. IP Address   Check to see if their ip address matches that of our company scope.

    if NOT

    Send the user to the login page regardless.
    0
     
    LVL 8

    Expert Comment

    by:sigmacon
    Josh, I think we are not talking about the same thing. You said you wanted to get rid of the "ugly" login/authentication popup that external users get when they connect to your website? If that's so, then YOU WILL NOT BE ABLE TO DO ANYTHING IN COLDFUSION AT THIS POINT, BECAUSE CF HAS NOT EVEN BEEN CALLED YET. If that's not the problem you have, please describe what you are trying to do more specifically.
    0
     

    Author Comment

    by:JoshDale
    That was, but I was re-evaluating the solution. Instead of using Windows Authentication, why don't I just get the users information and use that to authenticate the user; for example Username and IP Address. I can check to see if the Username matches one in the system, if so, I can then check to see if the users IP Address is within the acceptable range. If any of those conditions fail, I just pass a login page to them. This way, the user doesn't have to login if they are in our local domain but would have to under all circumstances.
    0
     
    LVL 8

    Accepted Solution

    by:
    You would be 1000% safer with your first approach, because it's not home-grown and also protects your entire website. To compromise security just to get rid of some popup window does not seem balanced. Authenticating based on IP address is always a bad idea, because they could be spoofed. But if the convenience is more important, then your approach is definitely viable. I hope I could be of some help.
    0
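    The following is an added example (not code posted in this thread) of how JoshDale's ordered check (cookie/session, then username, then address range) can be written in a ColdFusion Application.cfc while respecting sigmacon's point that an IP address is not a credential. It assumes a hypothetical site layout: an IIS folder `/auth/` that has integrated Windows authentication enabled (so on-domain browsers get in without a form), a `/login.cfm` HTML form with a `/doLogin.cfm` handler that validates the password over SSL and sets `session.username`, and a placeholder `isKnownUser()` lookup standing in for the real user table.

    ```cfml
    <!--- Application.cfc (added example; assumes the pages named in the comments exist) --->
    <cfcomponent output="false">
        <cfset this.name = "IntranetExample">
        <cfset this.sessionManagement = true>
        <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

        <cffunction name="onRequestStart" returnType="boolean" output="false">
            <cfargument name="targetPage" type="string" required="true">

            <!--- The login form and its handler must always be reachable. --->
            <cfif listFindNoCase("/login.cfm,/doLogin.cfm", arguments.targetPage)>
                <cfreturn true>
            </cfif>

            <!--- 1. Session: doLogin.cfm (hypothetical) sets this after checking the password. --->
            <cfif structKeyExists(session, "username") AND len(session.username)>
                <cfreturn true>
            </cfif>

            <!--- 2. Username: CGI.AUTH_USER is filled in by IIS only after it authenticated
                  the request itself, so unlike a form field it cannot be chosen by the client. --->
            <cfif len(cgi.AUTH_USER) AND isKnownUser(cgi.AUTH_USER)>
                <cfset session.username = cgi.AUTH_USER>
                <cfreturn true>
            </cfif>

            <!--- 3. Address range: used only to pick WHICH login path to offer, never to skip
                  authentication, because REMOTE_ADDR can be spoofed or shared behind a proxy. --->
            <cfset var backTo = urlEncodedFormat(arguments.targetPage)>
            <cfif isInternalAddress(cgi.REMOTE_ADDR)>
                <!--- /auth/ is an assumed IIS folder with integrated auth; domain browsers
                      pass through it silently, then land on the real page. --->
                <cflocation url="/auth/index.cfm?from=#backTo#" addToken="false">
            <cfelse>
                <cflocation url="/login.cfm?from=#backTo#" addToken="false">
            </cfif>
        </cffunction>

        <cffunction name="isKnownUser" returnType="boolean" output="false">
            <cfargument name="username" type="string" required="true">
            <!--- Placeholder lookup; the real version queries the user table. --->
            <cfreturn listFindNoCase("jdoe,asmith", arguments.username) GT 0>
        </cffunction>

        <cffunction name="isInternalAddress" returnType="boolean" output="false">
            <cfargument name="ip" type="string" required="true">
            <!--- True for 192.168.0.0 - 192.168.255.255, the range named in the thread. --->
            <cfreturn listLen(arguments.ip, ".") EQ 4
                      AND listGetAt(arguments.ip, 1, ".") EQ "192"
                      AND listGetAt(arguments.ip, 2, ".") EQ "168">
        </cffunction>
    </cfcomponent>
    ```

    The order matters: the session and the server-populated CGI.AUTH_USER are the only two things that count as proof of identity; the address check decides only whether to route the browser through the integrated-auth folder or to the HTML form, which is what keeps the "no popup for office users, form for everyone else" behaviour without making the network address itself a password.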
     

    Author Comment

    by:JoshDale
    IP Address and Username
    0
     

    Author Comment

    by:JoshDale
    Wow, I just had the biggest brain lapse of all time. I just remembered God invented cookies for a reason right???

    Thanks for the help sigmacon.
    0
